GB2506622A - Anti-virus data management - Google Patents


Info

Publication number: GB2506622A
Application number: GB1217732.5A
Other versions: GB201217732D0 (en)
Authority: GB (United Kingdom)
Legal status: Withdrawn
Inventors: Rolf Schaefer, Ruben Straus, Mathias Dietz, Jens-Peter Akelbein, Nils Haustein
Original and current assignee: International Business Machines Corp
Related US applications claiming priority to GB1217732.5A: US14/018,140 (published as US9189625B2); US14/869,509 (published as US9536085B2)

Classifications (CPC; the shared hierarchy is listed once)

    • G PHYSICS; G06 COMPUTING; CALCULATING OR COUNTING; G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/564 Static detection by virus signature recognition
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Abstract

An anti-virus data management method comprises receiving an instruction to write data to storage 231; examining the data for malicious content (such as malware and viruses) using a malicious content scanner 220; and, if no malicious content is found, writing the data and linking/associating a signature representing the version of the malicious content scanner with the data. A further method comprises receiving an instruction to read data (identified by a data identifier) from storage, the first data being linked with a malicious content scanner version signature; determining the version signature of the current malicious content scanner; and examining the data for malicious content if the signatures do not match. These methods may be used in a backup system 200/230 that preserves old copies of data, and may be used in conjunction with a backup scheme where certain copies are deleted. If examining the data reveals malicious content, then an older copy may be identified (using the data identifier) and examined unless it has already been scanned using the current malicious content scanner.

Description

DESCRIPTION
ANTI-VIRUS DATA MANAGEMENT
BACKGROUND
The present disclosure is an invention disclosure relating to a data management method, a data management system as well as a corresponding computer program product.
It is known to read and write data to storage, e.g. using a backup system that preserves historic versions of data in accordance with a backup scheme. For example, such a backup scheme may maintain hourly backups of a file for the last 24 hours, daily backups of the file for the last month and weekly backups of the file for all previous months. It is moreover known to examine data for malicious content for the sake of curbing the spread of computer viruses.
The present disclosure expounds upon this background.
BRIEF SUMMARY
Loosely speaking, the present disclosure teaches a method that coordinates virus prevention techniques and data backup techniques to minimize spread of computer viruses while simultaneously reducing the user encumbrance imposed by anti-virus precautions and infected data.
Inter alia, the present disclosure teaches a data management method that examines a file for malicious content when the file is to be written to storage, e.g. when(ever) a user chooses to save or save a copy of a file, and that stores a read-only version of the file together with a signature identifying the version of a malicious content scanner used to perform the examination if the examination reveals no malicious content. The present disclosure also teaches a data management method that retrieves a file and an associated malicious content scanner version signature from read-only storage in response to a read instruction and examines the file for malicious content if the signature indicates that the file was previously examined for malicious content using an outdated version of the malicious content scanner.
Since a read-only, virus-free version of the file ("virus-free" not being meant in the absolute sense, but rather relative to the viruses known to the malicious content scanner at the time the file was examined) is stored when(ever) the file is written to storage, the disclosed method ensures that a virus-free backup version of the file will be available should a later instance of that file become infected. Since a malicious content scanner version signature is associated with the stored file, one can easily determine the degree to which the file may need to be re-examined for malicious content when a new instance of the file is created from the stored, read-only version, thus avoiding redundant scans.
Still loosely speaking, the disclosed method may comprise deleting the read-only files as stipulated by a data backup scheme. For example, as touched upon above, such a backup scheme may maintain hourly backups of a file for the last 24 hours, daily backups of the file for the last month, weekly backups of the file for all previous months and delete all other backups of the file.
In this fashion, the disclosed method ensures that sufficiently frequent, virus-free backups of the file are maintained without overtaxing the storage system. Should a backup file later prove to be infected, sequentially older versions of the file can be (automatically) retrieved until an uninfected version is found.
The techniques of the present disclosure may be complementary to "normal" data storage as known in the art.
In one aspect, as touched upon supra, the present disclosure relates to a data management method.
The method may comprise examining (first) data for malicious content. This (first) examining may be carried out by means of a malicious content scanner. The examining may be carried out in response to an instruction to write the (first) data to storage, e.g. a user instruction to save or copy a file. As such, the method may comprise receiving (such) a user instruction, e.g. via a user input device. Such examining may be carried out in response to every (user) instruction to write data to storage. In other words, the method may comprise subjecting all (user generated) data to be written to storage to such examining. Similarly, the examining may be carried out no more often than a given interval, e.g. once an hour or once a day, in response to an instruction to write the (first) data to storage, e.g. a user instruction to save or copy a file. The given interval may be a user-specified interval. Furthermore, the writing of (user generated) data to storage may be dependent on an outcome of the examining.
The examining may comprise searching the (first) data for any one or more of a plurality of strings / character sequences (so-called "fingerprints") indicative of malicious content. As such, the method may comprise receiving and storing such a plurality of strings / character sequences, e.g. in a computer memory. If the examining reveals malicious content in the (first) data, the (first) data may be subjected to processing, e.g. as stipulated by an anti-virus policy. For example, the (first) data may be cleansed of the malicious content or the (first) data may be deleted.
The method may comprise writing the (first) data to storage, e.g. if the examining reveals no malicious content in the (first) data. Similarly, the method may comprise writing (first) metadata and (second) data linking the metadata to the (first) data to storage, e.g. if the examining reveals no malicious content in the (first) data. The (first) metadata may comprise file information such as any (one or more) of a time when the (first) data is written to storage, a data identifier (e.g. a file name) for the (first) data, a size of the (first) data, read and/or write privileges for the (first) data, etc. The data identifier may be specified by the instruction to write the (first) data to storage. The (first) metadata may comprise a (malicious content scanner) signature, e.g. a (malicious content scanner) signature may be representative of a version of the malicious content scanner at a time of the examining (of the (first) data for malicious content).
As such, the signature may be representative of the plurality of strings / character sequences available to the malicious content scanner at the time of the examining, i.e. representative of the set of "fingerprints" of malicious content known to / stored by the malicious content scanner at the time of the examining.
In the present disclosure, the conditional expression "if" may be understood in the sense of "subject to the condition that," i.e. in the sense of "if and only if." Any (one or more or each) of the (first) data, the signature and the (second) data may be written to storage as read-only data, e.g. as data written to a read-only medium or as data identified in a file system of the storage as being read-only for all users, for all users without administrator or root privileges or for all users without root privileges.
Any storing of data / information as well as any writing of data / information to storage described in the present disclosure may be effected by a data storage system, e.g. a data storage system that operates in accordance with a data storage scheme. The data storage scheme may stipulate a scheme for data distribution and/or redundancy among a plurality of storage media (e.g. a RAID scheme) and/or a backup scheme for retaining / deleting (backup copies of) data over time. The data storage system may comprise one or more storage devices, e.g. hard disks, tape drives, solid state storage, etc. In lieu of or in addition to any of the (related / corresponding) actions described in the present disclosure, the method may comprise one or more control actions. In this respect, the method may comprise instigating a malicious content scanner to examine the (first) data for malicious content. Similarly, the method may comprise instigating a data storage system to write the (first) data to storage as described above, e.g. together with a (malicious content scanner) signature and (second) data linking the signature to the (first) data and/or as read-only data. Such instigating may be effected by a controller and may comprise sending an examine instruction (from the controller) to the malicious content scanner and/or a write instruction (from the controller) to the data storage system. The examine instruction may comprise the (first) data, a link to the (first) data or other information that allows the malicious content scanner to obtain the (first) data. Similarly, the write instruction may comprise the (first) data, a link to the (first) data or other information that allows the data storage system to obtain the (first) data. Furthermore, the method may comprise receiving (at the controller) a result of the examining (of the (first) data for malicious content), e.g. from the malicious content scanner.
Similarly, the method may comprise receiving (at the controller) a signature of the malicious content scanner at the time of the examining. The write instruction may comprise the signature, a link to the signature or other information that allows the data storage system to obtain the signature. The method may moreover comprise receiving a (user) instruction to write (the first) data to storage.
The method may comprise storing, e.g. if the examining reveals malicious content in the (first) data, information relating to the (first) data and/or to the (write) instruction, which information may be useful for determining a source of the malicious content and/or for preventing further spreading of the malicious content. In this respect, the method may comprise storing at least one of a time of (receipt of) the instruction, a user associated with the instruction (e.g. a user from whom the instruction originated), a computer associated with the instruction (e.g. a computer from which the instruction originated or via which the instruction was received), a source of the instruction (e.g. an application or device from which the instruction originated), a file type of the (first) data, a user associated with the (first) data (e.g. a user who modified the data and/or who initially created the data), a computer associated with the (first) data (e.g. a computer from which the data originated or via which the data was received) and a source of the (first) data (e.g. an application or device from which the data originated). The method may comprise writing such information to storage as read-only data, e.g. as data written to a read-only medium or as data identified in a file system of the storage as being read-only for all users, for all users without administrator or root privileges or for all users without root privileges. The actions associated with such storage of information may be coordinated and/or instigated by the controller.
The method may comprise retrieving (second) data from (read-only) storage. Similarly, the method may comprise retrieving (second) data and a (second) signature, e.g. a (malicious content scanner version) signature, linked to the (second) data from (read-only) storage. The retrieving may be effected if the examining reveals malicious content in the (first) data. The (second) data may be the youngest (available) data identified by the data identifier (of the write instruction), e.g. the youngest (available) data having a storage date predating the instruction to write the (first) data to storage. The method may comprise informing a user of the malicious content in the (first) data and offering the retrieved (second) data to the user if the examining reveals malicious content in the (first) data.
The method may comprise performing statistical analysis of the information. The statistical analysis may comprise determining whether a frequency with which write and/or read instructions from a given user and/or computer result in a revealing of malicious content exceeds a given threshold. The method may comprise communicating a warning to a user if a result of the statistical analysis falls within a range indicative of an infection with malicious content. For example, a system administrator can be advised if more than 5% of the files read and written by a particular user are determined to contain malicious content. Such statistical analysis may be effected by the controller.
The method may comprise deleting the read-only (first) data, e.g. at a time stipulated by the backup scheme (of the data storage system). For example, the data storage system may comprise a process with administrator or root privileges that prunes out unnecessarily frequent backups as they age as stipulated by the backup scheme. For example, as touched upon above, such a backup scheme may maintain hourly backups of a file for the last 24 hours, daily backups of the file for the last month, weekly backups of the file for all previous months and delete all other backups of the file. For the sake of data security, such a process may be carefully programmed to reduce the likelihood of the process's privileges being maliciously exploited.
The method may comprise retrieving data, e.g. the aforementioned (first) data, from (read-only) storage. Similarly, the method may comprise retrieving (the first) data and a (first) signature, e.g. the aforementioned (malicious content scanner version) signature, linked to the (first) data from (read-only) storage. The retrieved data may be a youngest version of the data (stored in the data storage system). The retrieving of data may be effected in response to a (user) instruction to read (first) data identified by a data identifier from storage. As such, the method may comprise receiving (such) a user instruction, e.g. via a user input device. The retrieved data may be data identified by the data identifier. The data identifier may comprise a unique file ID, a file name, a pointer to a file and/or other information that allows data in storage to be (readily and/or uniquely) identified. As touched upon above, the read-only storage need not be a read-only medium. Instead, storage of the data may be read-only in the sense that the user / system retrieving the data or requesting retrieval of the data does not have the privileges necessary to alter or delete the data.
The method may comprise determining a current version signature of a malicious content scanner, i.e. a signature of a malicious content scanner in its current version. As touched upon above, the signature may be representative of the plurality of strings / character sequences currently available to the malicious content scanner, i.e. representative of the set of "fingerprints" of malicious content currently known to / stored by the malicious content scanner.
The method may comprise examining the (retrieved / first) data for malicious content, e.g. if the (retrieved / first) malicious content scanner version signature does not match the current version signature, for example if the current version signature indicates that the current malicious content scanner includes "fingerprints" of malicious content not known to the malicious content scanner at the time the (retrieved / first) data was examined for malicious content before being written to (read-only) storage. This (second) examining may be carried out by means of the current malicious content scanner.
The method may comprise storing, e.g. if the (second) examining reveals malicious content in the (retrieved / first) data, information relating to the (retrieved / first) data and/or to the (read) instruction, which information may be useful for determining a source of the malicious content and/or for preventing further spreading of the malicious content as described above.
The method may comprise retrieving (second) data from (read-only) storage. Similarly, the method may comprise retrieving (second) data and a (second) signature, e.g. a (malicious content scanner version) signature, linked to the (second) data from (read-only) storage. The retrieving may be effected if the (second) examining reveals malicious content in the (retrieved / first) data. The (second) data may be the youngest (available) data identified by the data identifier (of the read instruction) and having a storage date predating a(n earliest) storage date of the (retrieved / first) data.
As touched upon above, the method may comprise retrieving (second) data from (read-only) storage, the (second) data being the youngest (available) data identified by the data identifier (of the (write) instruction to write (first) data to storage) and having a storage date predating the write instruction. Similarly, the method may comprise retrieving (second) data from (read-only) storage, the (second) data being the youngest (available) data identified by the data identifier (of the (read) instruction to read (first) data from storage) and having a storage date predating a(n earliest) storage date of the (first) data. As such, since the storage date of the retrieved (second) data will typically predate the read instruction, the (second) data may be summarily defined as youngest data identified by the data identifier and having a storage date predating an elder of a storage date of the first data and the (read/write) instruction.
For example, the method may comprise retrieving the next oldest version of a file identified by the data identifier relative to a version of the file revealed (by the second examining) to contain malicious content. The youngest (available) data identified by the data identifier (of the read instruction) having a storage date predating a(n earliest) storage date of the (retrieved / first) data may be determined using metadata linked to the respective data, i.e. using metadata linked to the (retrieved / first) data and/or metadata linked to the youngest (available) data.
The method may comprise examining the (second) data for malicious content, e.g. if the (retrieved / second) signature does not match the current version signature, for example if the current version signature indicates that the current malicious content scanner includes "fingerprints" of malicious content not known to the malicious content scanner at the time the (retrieved / second) data was examined for malicious content before being written to (read-only) storage. This (third) examining may be carried out by means of the current malicious content scanner.
The method may comprise examining (third) data for malicious content, e.g. as described above. This (fourth) examining may be carried out by means of a malicious content scanner. The (fourth) examining may be carried out in response to an instruction to write the (third) data to storage, e.g. a user instruction to save or copy a file. As such, the method may comprise receiving (such) a user instruction, e.g. via a user input device. As touched upon above, examining may be carried out in response to every (user) instruction to write data to storage. In other words, the method may comprise subjecting all (user generated) data to be written to storage to such examining. Furthermore, the writing of (user generated) data to storage may be dependent on an outcome of the examining.
The method may comprise writing the (third) data to storage, e.g. if the (fourth) examining reveals no malicious content in the (third) data. Similarly, the method may comprise writing (second) metadata and (fourth) data linking the (second) metadata to the (fourth) data to storage, e.g. if the (fourth) examining reveals no malicious content in the (third) data. The (second) metadata may comprise file information such as any (one or more) of a time when the (fourth) data is written to storage, a size of the (fourth) data, read and/or write privileges for the (fourth) data, etc. The metadata may comprise a (malicious content scanner) signature, e.g. a (malicious content scanner) signature may be representative of a version of the malicious content scanner at a time of the (fourth) examining (of the (third) data for malicious content).
The method may comprise deleting (retrieved) data from (read-only) storage if an examining of the (retrieved) data reveals malicious content. For example, the method may comprise deleting the first data from (read-only) storage if the second examining of the first data reveals malicious content.
As touched upon supra, the method may comprise one or more control actions in lieu of or in addition to any of the (related / corresponding) actions described in the present disclosure.
In this respect, the method may comprise instigating a data storage system to retrieve data identified by a data identifier from (read-only) storage, e.g. together with a (malicious content scanner) signature and (second) data linking the signature to the (retrieved) data. Similarly, the method may comprise instigating a malicious content scanner to examine the (retrieved) data for malicious content. Such instigating may be effected by a controller and may comprise sending a read instruction (from the controller) to the data storage system and/or an examine instruction (from the controller) to the malicious content scanner. The read instruction may comprise the data identifier and may comprise a storage date of retrieved data revealed to contain malicious content. Similarly, the examine instruction may comprise the (retrieved) data, a link to the (retrieved) data or other information that allows the malicious content scanner to obtain the (retrieved) data. Furthermore, the method may comprise receiving (at the controller) a result of the examining (of the (retrieved) data for malicious content), e.g. from the malicious content scanner. The method may comprise determining whether a (retrieved) malicious content scanner version signature matches a current version signature. Such determining may be effected by the controller, by the malicious content scanner or by the controller in cooperation with the malicious content scanner. The method may moreover comprise receiving a (user) instruction to retrieve (the first) data from storage.
While the teachings of the present disclosure have been discussed hereinabove mainly in the form of a method, the teachings may be embodied, mutatis mutandis, in the form of a system, e.g. a data management system, or a computer program product, as will be appreciated by the person skilled in the art.
The system may comprise a controller. Furthermore, the system may comprise a data storage system and may comprise a malicious content scanner.
As touched upon above, the method may be effected by the controller, e.g. a controller that coordinates interaction between the malicious content scanner and the data storage system or a controller that coordinates interaction between the malicious content scanner, the data storage system and a computer operating system. The system may be configured and adapted to effect any of the actions described above with respect to the disclosed method. Similarly, the system may comprise a control component that effects, coordinates and/or instigates any of the actions described above with respect to the disclosed method.
The system may comprise a user input device that receives a user input as discussed hereinabove.
Any of the aforementioned components of the system may communicate with any other of the aforementioned components of the system. In this respect, the system may comprise one or more communication busses / links interconnecting the respective components.
BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS
Figure 1 schematically shows an embodiment of a data management system in accordance with the present disclosure;
Figure 2 schematically shows another embodiment of a data management system in accordance with the present disclosure;
Figure 3 schematically shows a flow diagram of an embodiment of a data management method in accordance with the present disclosure;
Figure 4 schematically shows a flow diagram of another embodiment of a data management method in accordance with the present disclosure; and
Figure 5 schematically shows a flow diagram of another embodiment of a data management method in accordance with the present disclosure.
DETAILED DESCRIPTION
Figure 1 schematically shows an embodiment of a data management system 100 in accordance with the present disclosure, e.g. as described above.
In the illustrated embodiment, data management system 100 comprises a controller 110, an optional malicious content scanner 120, an optional data storage system 130 as well as a communication bus 140 comprising a plurality of communication links 141 (for the sake of legibility, only one of the communication links bears a reference sign). Data storage system 130 comprises a storage device 131, e.g. a hard disk. Communication bus 140 and the communication links 141 communicatively interconnect the aforementioned components 110-130 and an end-user computer system 150.
Figure 2 schematically shows an embodiment of a data management system 200 in accordance with the present disclosure, e.g. as described above.
In the illustrated embodiment, data management system 200 comprises a controller 210, an optional malicious content scanner 220 and an optional data storage system 230 comprising a storage device 231. Controller 210 is in bidirectional communication with malicious content scanner 220 and data storage system 230 as well as with an end-user computer system 240.
Operation of data management system 200 may be carried out as follows.
When a user of end-user computer system 240 indicates their desire to save a file, a write instruction identi'ing the file is communicated from end-user computer system 240 to controller 210. Controller 210 instigates malicious content scanner 220 to examine the file for malicious content and receives a result of the examining from malicious content scanner 220. If the result of the examining reveals no malicious content in the file, controller 210 instigates data storage system 230 to write a read-only version of the file to storage, e.g. to storage device 231. The file may be written to storage together with metadata comprising the signature of malicious content scanner 220 that was valid at the time the file was examined.
When the user of end-user computer system 240 indicates their desire to retrieve a file identifiable by a particular file identifier, e.g. a filename or a file ID, a read instruction identifying the file is communicated from end-user computer system 240 to controller 210.
Controller 210 instigates data storage system 230 to retrieve (the most recent version of) the file identified by the file identifier. Data storage system 230 retrieves the file identified by the file identifier together with the malicious content scanner version signature linked to that file.
Controller 210 obtains a current version signature of the malicious content scanner and compares it with the malicious content scanner version signature retrieved with the file. If the two signatures match, controller 210 passes the file on to end-user computer system 240. If the two signatures do not match, controller 210 instigates malicious content scanner 220 to (re)examine the retrieved file for malicious content using the current, updated signature. If malicious content scanner 220 returns a result indicating that the retrieved file does not contain malicious content, controller 210 passes the file on to end-user computer system 240. If malicious content scanner 220 returns a result indicating that the retrieved file does contain malicious content, controller 210 instigates data storage system 230 to retrieve the next youngest version of the file identified by the file identifier and instigates malicious content scanner 220 to examine that (next youngest) version for malicious content. If malicious content scanner 220 returns a result indicating that this version does not contain malicious content, the version is passed on to end-user computer system 240. Otherwise, the process of retrieving and examining sequentially older versions of the file is reiterated until all versions of the file have been exhausted or a version without malicious content has been found.
Once malicious content scanner 220 has returned a result indicating that a retrieved file contains malicious content, controller 210 may presume that older versions of that file have not been examined using the most recent version of malicious content scanner 220. Accordingly, controller 210 may refrain from instigating data storage system 230 to retrieve a malicious content scanner version signature when instigating retrieval of earlier versions of that file.
Similarly, controller 210 may subject all earlier versions of that file to an examination for malicious content, i.e. without comparing a signature linked to that file to the current version signature of malicious content scanner 220.
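The write and read paths described above for data management system 200 (and restated by the flow diagrams of Figures 3 to 5 and by claims 1 to 7) can be modelled end to end. The following is an added example, not code from the patent or from the applicant: the scanner is a constructed pattern matcher whose "version signature" is simply a label for the definition set it was loaded with, the store is an in-memory dictionary standing in for the read-only storage, and the file names, users and byte strings are made up for the walk-through.

```python
# Added example (not the patent's own code): a minimal model of controller 210,
# malicious content scanner 220 and the versioned read-only storage 230.
# Scanner patterns, version labels, file names and users are constructed here.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Scanner:
    """Stand-in for malicious content scanner 220 (constructed, pattern based)."""
    version_signature: str
    patterns: Tuple[bytes, ...]

    def is_malicious(self, data: bytes) -> bool:
        return any(p in data for p in self.patterns)

    def update(self, version_signature: str, patterns: Tuple[bytes, ...]) -> None:
        """Load newer definitions; this changes the current version signature."""
        self.version_signature = version_signature
        self.patterns = patterns


@dataclass
class Version:
    data: bytes
    scanner_signature: str  # scanner version signature valid when data was examined
    seq: int                # storage order; a higher seq is a younger version


class ReadOnlyStore:
    """Stand-in for data storage system 230: versions are appended, never modified."""

    def __init__(self) -> None:
        self._versions: Dict[str, List[Version]] = {}
        self._seq = 0

    def write(self, file_id: str, data: bytes, scanner_signature: str) -> None:
        self._seq += 1
        self._versions.setdefault(file_id, []).append(Version(data, scanner_signature, self._seq))

    def youngest_first(self, file_id: str) -> List[Version]:
        return sorted(self._versions.get(file_id, []), key=lambda v: v.seq, reverse=True)

    def delete(self, file_id: str, version: Version) -> None:
        self._versions[file_id].remove(version)


class Controller:
    """Stand-in for controller 210: scan on write, verify-or-rescan on read."""

    def __init__(self, scanner: Scanner, store: ReadOnlyStore) -> None:
        self.scanner = scanner
        self.store = store
        self.incidents: List[dict] = []  # optional step 440 / claim 7 information

    def write(self, file_id: str, data: bytes, user: str) -> bool:
        """Write path: examine first, then store read-only with the scanner signature."""
        if self.scanner.is_malicious(data):
            self.incidents.append({"file_id": file_id, "user": user, "stage": "write"})
            return False
        self.store.write(file_id, data, self.scanner.version_signature)
        return True

    def read(self, file_id: str, user: str) -> Optional[bytes]:
        """Read path: youngest version first. The scan is skipped only while the
        stored signature matches the current one; once a version is found
        malicious, older versions are presumed stale and every one is examined."""
        current = self.scanner.version_signature
        presume_stale = False
        for version in self.store.youngest_first(file_id):
            if not presume_stale and version.scanner_signature == current:
                return version.data
            if not self.scanner.is_malicious(version.data):
                return version.data
            presume_stale = True
            self.incidents.append({"file_id": file_id, "user": user,
                                   "stage": "read", "seq": version.seq})
            self.store.delete(file_id, version)  # optional step 580 / claim 5
        return None  # every version exhausted without finding a clean one


def demo() -> dict:
    """Definition update turns an already stored version malicious."""
    scanner = Scanner("defs-2012-10-01", (b"EVIL",))
    ctl = Controller(scanner, ReadOnlyStore())
    ctl.write("report.doc", b"quarterly figures", "alice")                  # v1, clean
    ctl.write("report.doc", b"quarterly figures\nSNEAKY macro", "alice")    # v2, clean under old defs
    before_update = ctl.read("report.doc", "bob")   # signature matches: served without rescan
    scanner.update("defs-2012-10-04", (b"EVIL", b"SNEAKY"))
    after_update = ctl.read("report.doc", "bob")    # v2 rescanned and rejected, v1 served
    rejected = ctl.write("report.doc", b"EVIL payload", "mallory")
    return {"before_update": before_update, "after_update": after_update,
            "rejected_write": rejected,
            "remaining_versions": len(ctl.store.youngest_first("report.doc")),
            "incidents": ctl.incidents}
```

Because the storage is write-once, a clean version whose stored signature is older than the current one cannot have its metadata refreshed in place; in this model it is rescanned on every read until a new write instruction stores a fresh version with the current signature (the path claim 4 describes).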
Figure 3 schematically shows a flow diagram 300 of an embodiment of a data selection method in accordance with the present disclosure, e.g. as described above.
In the illustrated embodiment, flow diagram 300 comprises a step 310 of examining data for malicious content, a step 320 of writing data to storage as read-only data and an optional step 330 of deleting the read-only data at a time stipulated by a backup scheme.
Figure 4 schematically shows a flow diagram 400 of another embodiment of a data selection method in accordance with the present disclosure, e.g. as described above.
In the illustrated embodiment, flow diagram 400 comprises a step 410 of retrieving data from read-only storage, a step 420 of determining a current version signature, a step 430 of examining the retrieved data for malicious content and an optional step 440 of storing information for determining a source of malicious content.
Figure 5 schematically shows a flow diagram 500 of another embodiment of a data selection method in accordance with the present disclosure, e.g. as described above.
In the illustrated embodiment, flow diagram 500 comprises a step 510 of retrieving first data from read-only storage, a step 520 of determining a current version signature, a step 530 of examining the retrieved data for malicious content, an optional step 540 of retrieving second data from read-only storage, an optional step 550 of examining the second data for malicious content, an optional step 560 of examining third data for malicious content, an optional step 570 of writing the third data to read-only storage, an optional step 580 of deleting the first data having malicious content from the read-only storage and an optional step 590 of deleting the third data at a time stipulated by a backup scheme. As shown by the arrow, the method can flow from step 550 back to step 540, e.g. if the data retrieved at step 540 is determined at step 550 to contain malicious content.
As will be appreciated by one skilled in the art, aspects of the present disclosure may be embodied as a system, method or computer program product. Accordingly, aspects of the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a "circuit," "module" or "system." Furthermore, aspects of the present disclosure may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon.
Any combination of one or more computer readable medium(s) may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave.
Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
Aspects of the present disclosure are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the present disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions.
These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
The block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions discussed hereinabove may occur out of the disclosed order. For example, two functions taught in succession may, in fact, be executed substantially concurrently, or the functions may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams, and combinations of blocks in the block diagrams, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. In the present disclosure, the verb "may" is used to designate optionality / noncompulsoriness. In other words, something that "may" can, but need not.
The corresponding structures, materials, acts, and equivalents of all means or step plus function elements in the claims below are intended to include any structure, material, or act for performing the function in combination with other claimed elements as specifically claimed. The description of the present invention has been presented for purposes of illustration and description, but is not intended to be exhaustive or limited to the invention in the form disclosed.
Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the invention. The embodiment was chosen and described in order to best explain the principles of the invention and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.

Claims (15)

  1. A data management method, comprising: examining, in response to an instruction to write first data to storage, said first data for malicious content by means of a malicious content scanner (120); and writing said first data, a signature representative of a version of said malicious content scanner at a time of said examining and second data linking said signature to said first data as read-only data to storage if said examining reveals no malicious content in said first data.
  2. A data management method, comprising: retrieving, in response to an instruction to read first data identified by a data identifier from storage, said first data and a first malicious content scanner version signature linked to said first data from read-only storage; determining a current version signature of a malicious content scanner (120); and examining said first data for malicious content if said first malicious content scanner version signature does not match said current version signature.
  3. The method of claim 1 or 2, comprising: retrieving, if said examining of said first data reveals malicious content, second data and a second malicious content scanner version signature linked to said second data from read-only storage, said second data being youngest data identified by said data identifier and having a storage date predating an elder of a storage date of said first data and said instruction; examining said second data for malicious content if said second malicious content scanner version signature does not match said current version signature.
  4. The method of claim 2 or 3, comprising: examining, in response to an instruction to write third data identified by said data identifier to storage, said third data for malicious content by means of said malicious content scanner, and writing said third data, said data identifier, a signature representative of a version of said malicious content scanner at a time of said examining of said third data and fourth data linking said signature and said data identifier to said third data as read-only data to storage if said examining reveals no malicious content in said third data.
  5. The method of any one of claims 2 to 4, comprising: deleting said first data from said read-only storage if said examining of said first data reveals malicious content.
  6. The method of claim 1 or 4, comprising: deleting said read-only data at a time stipulated by a backup scheme.
  7. The method of claim 1 or 2, comprising at least one of: storing, if said examining of said first data reveals malicious content, at least one of a time of said instruction, a user associated with said instruction, a computer (150) associated with said instruction, a source of said instruction, a file type of said first data, a user associated with said first data, a computer (150) associated with said first data and a source of said first data.
  8. A data management system (100), comprising: a data storage system (130); a malicious content scanner (120); and a controller (110) that instigates, in response to an instruction to write first data to storage, said malicious content scanner to examine said first data for malicious content, and instigates, if said examining reveals no malicious content in said first data, said data storage system to write said first data, a signature representative of a version of said malicious content scanner at a time of said examining and second data linking said first data to said signature as read-only data to storage.
  9. A data management system (100), comprising: a data storage system (130); a malicious content scanner (120); and a controller (110) that instigates, in response to an instruction to read first data identified by a data identifier from storage, said data storage system to retrieve said first data and a first malicious content scanner version signature linked to said first data from read-only storage; instigates said malicious content scanner to examine said first data for malicious content if said first malicious content scanner version signature does not match a current version signature of a malicious content scanner.
  10. The system of claim 8 or 9, wherein said controller: instigates, if said examining of said first data reveals malicious content, said data storage system to retrieve second data and a second malicious content scanner version signature linked to said second data from read-only storage, said second data being youngest data identified by said data identifier and having a storage date predating an elder of a storage date of said first data and said instruction and instigates said malicious content scanner to examine said second data for malicious content if said second malicious content scanner version signature does not match said current version signature.
  11. The system of claim 9 or 10, wherein said controller: instigates, in response to an instruction to write third data identified by said data identifier to storage, said malicious content scanner to examine said third data for malicious content, and instigates, if said examining reveals no malicious content in said third data, said data storage system to write said third data, said data identifier, a signature representative of a version of said malicious content scanner at a time of said examining of said third data and fourth data linking said signature and said data identifier to said third data as read-only data to storage.
  12. The system of any one of claims 9-11, wherein said controller instigates deletion of said first data from said read-only storage if said examining of said first data reveals malicious content.
  13. The system of claim 8 or 11, wherein said data storage system deletes said read-only data at a time stipulated by a backup scheme.
  14. The system of claim 8 or 9, wherein said controller instigates, if said examining of said first data reveals malicious content, a storing of at least one of a time of said instruction, a user associated with said instruction, a computer (150) associated with said instruction, a source of said instruction, a file type of said first data, a user associated with said first data, a computer (150) associated with said first data and a source of said first data.
  15. A computer program product stored on a computer usable medium, comprising computer readable program means for causing a computer to perform a method according to any one of claims 1 to 7 when said program is run on said computer.
GB1217732.5A 2012-10-04 2012-10-04 Anti-virus data management Withdrawn GB2506622A (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
GB1217732.5A GB2506622A (en) 2012-10-04 2012-10-04 Anti-virus data management
US14/018,140 US9189625B2 (en) 2012-10-04 2013-09-04 Data management of potentially malicious content
US14/869,509 US9536085B2 (en) 2012-10-04 2015-09-29 Data management of potentially malicious content

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB1217732.5A GB2506622A (en) 2012-10-04 2012-10-04 Anti-virus data management

Publications (2)

Publication Number Publication Date
GB201217732D0 GB201217732D0 (en) 2012-11-14
GB2506622A true GB2506622A (en) 2014-04-09

Family

ID=47225646

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1217732.5A Withdrawn GB2506622A (en) 2012-10-04 2012-10-04 Anti-virus data management

Country Status (2)

Country Link
US (2) US9189625B2 (en)
GB (1) GB2506622A (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8082584B1 (en) * 2007-10-16 2011-12-20 Mcafee, Inc. System, method, and computer program product for conditionally performing a scan on data based on an associated data structure
GB2506622A (en) * 2012-10-04 2014-04-09 Ibm Anti-virus data management
CN108363929B (en) * 2018-02-09 2022-05-13 广州旭能信息科技有限公司 System and method for generating information elimination report of storage device and preventing tampering
US11329956B2 (en) * 2020-07-28 2022-05-10 Bank Of America Corporation Scalable encryption framework using virtualization and adaptive sampling

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040068664A1 (en) * 2002-10-07 2004-04-08 Carey Nachenberg Selective detection of malicious computer code
US20120246729A1 (en) * 2011-03-24 2012-09-27 Samsung Electronics Co., Ltd. Data storage devices including integrated anti-virus circuits and method of operating the same

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5956481A (en) * 1997-02-06 1999-09-21 Microsoft Corporation Method and apparatus for protecting data files on a computer from virus infection
US7406603B1 (en) * 1999-08-31 2008-07-29 Intertrust Technologies Corp. Data protection systems and methods
US6851057B1 (en) * 1999-11-30 2005-02-01 Symantec Corporation Data driven detection of viruses
US7346928B1 (en) * 2000-12-01 2008-03-18 Network Appliance, Inc. Decentralized appliance virus scanning
US7331061B1 (en) * 2001-09-07 2008-02-12 Secureworks, Inc. Integrated computer security management system and method
US7581253B2 (en) * 2004-07-20 2009-08-25 Lenovo (Singapore) Pte. Ltd. Secure storage tracking for anti-virus speed-up
US7814057B2 (en) 2005-04-05 2010-10-12 Microsoft Corporation Page recovery using volume snapshots and logs
US7756834B2 (en) 2005-11-03 2010-07-13 I365 Inc. Malware and spyware attack recovery system and method
US20080195676A1 (en) 2007-02-14 2008-08-14 Microsoft Corporation Scanning of backup data for malicious software
US8104088B2 (en) * 2007-05-11 2012-01-24 Microsoft Corporation Trusted operating environment for malware detection
US8104089B1 (en) * 2007-12-31 2012-01-24 Symantec Corporation Tracking memory mapping to prevent packers from evading the scanning of dynamically created code
US8302192B1 (en) * 2008-04-30 2012-10-30 Netapp, Inc. Integrating anti-virus in a clustered storage system
RU2446459C1 (en) * 2010-07-23 2012-03-27 Закрытое акционерное общество "Лаборатория Касперского" System and method for checking web resources for presence of malicious components
GB2506622A (en) * 2012-10-04 2014-04-09 Ibm Anti-virus data management

Also Published As

Publication number Publication date
US20140101766A1 (en) 2014-04-10
GB201217732D0 (en) 2012-11-14
US20160019390A1 (en) 2016-01-21
US9189625B2 (en) 2015-11-17
US9536085B2 (en) 2017-01-03

Similar Documents

Publication Publication Date Title
US8495037B1 (en) Efficient isolation of backup versions of data objects affected by malicious software
US9690794B2 (en) System and method for backing up data
TWI434195B (en) Method and computer program product for managing virus and backup filtration processes
US20100306176A1 (en) Deduplication of files
US8504528B2 (en) Duplicate backup data identification and consolidation
US20150154398A1 (en) Optimizing virus scanning of files using file fingerprints
US20100174881A1 (en) Optimized simultaneous storing of data into deduplicated and non-deduplicated storage pools
US20070260643A1 (en) Information source agent systems and methods for distributed data storage and management using content signatures
US20080195676A1 (en) Scanning of backup data for malicious software
US10430281B2 (en) Space efficient cascading point in time copying
US20120124007A1 (en) Disinfection of a file system
US9536085B2 (en) Data management of potentially malicious content
EP3465520A1 (en) Virus detection technologies benchmarking
US8863287B1 (en) Commonality factoring pattern detection
US8347388B1 (en) System and method for orchestrating services
US10929338B2 (en) Maintaining access control lists in non-identity-preserving replicated data repositories
US9342550B1 (en) Systems and methods for preventing data loss via temporary-file generating applications
US11163748B1 (en) Fingerprint backward compatibility in deduplication backup systems
US10389743B1 (en) Tracking of software executables that come from untrusted locations
US8756201B1 (en) File type databases
US8595243B1 (en) Systems and methods for deduplicating archived data
US8676764B1 (en) File cluster creation
KR102039498B1 (en) System and methdo for isolating malicious code
WO2007015266A2 (en) System and method of time based hierarchical storage management

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)